[
https://issues.apache.org/jira/browse/SLING-10676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17388852#comment-17388852
]
Bertrand Delacretaz commented on SLING-10676:
---------------------------------------------
Turns out adding these files was not needed, the default security policy
applies to all GitHub repos from the apache organization that don't have one.
For example https://github.com/apache/incubator-ponymail-foal/security/policy
displays https://github.com/apache/.github/blob/main/.github/SECURITY.md even
though there's no SECURITY.md at
https://github.com/apache/incubator-ponymail-foal
Anyway, with the one I added we have sling-specific security information, that
doesn't hurt.
> Add a SECURITY.MD file to all our Git repositories
> --------------------------------------------------
>
> Key: SLING-10676
> URL: https://issues.apache.org/jira/browse/SLING-10676
> Project: Sling
> Issue Type: Improvement
> Components: Documentation
> Reporter: Bertrand Delacretaz
> Assignee: Bertrand Delacretaz
> Priority: Minor
>
> We should add
> [https://github.com/apache/.github/blob/main/.github/SECURITY.md] to all our
> repositories (but linking to [1]), as per
> [https://twitter.com/iamamoose/status/1417104695626240001:]
> {quote}All Apache projects follow the default ASF security policy; but not
> all have a github SECURITY․md file, and they get penalised, i.e. with lower
> #openssf scorecard scores
> ([http://metrics.openssf.org|http://metrics.openssf.org/])
> {quote}
> Tentatively assigning to myself but if someone beats me to it I'd be happy!
> [1] https://sling.apache.org/project-information/security.html
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
